On 29 January 2015, Anthem Inc., one of the largest health benefits companies in the United States, discovered that cyber attackers had gained access to its IT system. The attackers stole personal information relating to Anthem customers and to other independent health plans that work with Anthem. It is reported that about 80 million company records were affected. The compromised information included names, birth dates, medical IDs, social security numbers, residential addresses, e-mail addresses and employment information.
The Anthem data breach is one of the biggest ever to date, and the hackers may have been sponsored by a foreign government.
Does your organisation have plans in place to deal with a data breach of this kind? In the US, Anthem had to report its breach, because 47 states now have laws which make reporting of data breaches mandatory.
California, for example, has had a law since 2012 which says that businesses and government agencies must notify the government on breaches affecting more than 500 Californians. In the four years 2012 to 2016, reports on 657 data breaches were received.
According to a 2016 report by the California Attorney General, by far the greatest threat came from malware and hacking, both in the number of breaches and the number of records breached. The next biggest threats were from physical breaches (e.g. theft or loss of unencrypted data on electronic devices) and breaches caused by errors (e.g. in delivery of email).
The new Australian law
In Australia, mandatory data breach notification currently only applies in the case of unauthorised access to eHealth information under the My Health Records Act 2012 (Cth). But from 22 February 2018, a new regime for reporting “notifiable data breaches” or NDBs will apply to all organisations and government agencies that are subject to the Privacy Act 1988 (Cth).
In a nutshell, under the NDB scheme:
- An eligible data breach will have to be reported to the affected individual and notified to the Australian Information Commissioner.
- An eligible data breach is where a reasonable person concludes there is a likely risk of serious harm from unauthorised access or disclosure.
- Organisations suspecting an eligible data breach will have to conduct an assessment.
- If remedial action is taken, the breach may not have to be reported.
- The Commissioner will also have the power to grant exemptions from notifying an individual.
Even though the commencement date is some months away, in our experience it’s never too early to start preparing for these new compliance requirements.
So what should you be doing now?
The first thing is to get an understanding of what the new law will require. We have a free guide on NDBs, which you can download here. It gives you a high-level summary, so you can start to think about the changes you may need to make.
The Office of the Australian Information Commissioner (OAIC) recommends that organisations review their practices, procedures and systems for securing personal information in preparation for NDB.
For the last couple of years the OAIC has encouraged voluntary data breach reporting. It published a guide on this called Data breach notification – A guide to handling personal information security breaches. This guide is going to be updated for NDBs.
If you already have procedures for voluntary data breach notification, that’s a good start. If not, then this guide will give you some insight into the 4 key steps involved with a data breach notification plan. Those steps are:
- Contain the breach and do a preliminary assessment
- Evaluate the risks associated with the breach
- Prevent future breaches
The OAIC also says that organisations should prepare or update their data breach response plan to ensure that they are able to respond quickly to suspected data breaches. The OAIC has a Guide to developing a data breach response plan which is also going to be updated for the NDB scheme.
A data breach response plan should deal with assessing, managing and containing data breaches. It should set out a communications strategy for notification, internal reporting lines, and the allocation of responsibility for deciding what action is to be taken. This may involve convening a response team when a data breach (or potential data breach) occurs.
On 2 June 2017, the OAIC released draft guidance on NDBs which you can access here. It includes draft guidance notes on:
- Entities covered by the NDB scheme
- Identifying eligible data breaches
- Notifying individuals about an eligible data breach
These drafts are open for comment and will be finalised in coming months. To stay updated, we suggest that you sign up to the OAIC’s Privacy Professionals Network.
While it is best to avoid data breaches like the one suffered by Anthem, avoiding them can’t be guaranteed in a world where data is abundant and data security is never perfect. The NDB scheme is designed to direct what must be done when a data breach does occur. Notifying the breach is not the complete solution, but at least it allows affected individuals to plan for the possible consequences of the breach, such as identity theft.
Patrick Dwyer and Kathleen Harris